I get this on my log:

--5d2d5838-A--
[17/May/2016:13:03:18 +0800] VzqmFgqA0uwAAA7nNtkAAAAW 66.220.158.117 29357 10.144.68.249 80
--5d2d5838-B--
GET /our-impact/protecting-the-environment/increasing-soil-health-and-productivity-of-rice-crops HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+ http://www.facebook.com/externalhit_uatext.php)
Accept: */*
Accept-Encoding: deflate, gzip
Range: bytes=0-524287
Host: irri.org
Connection: close

--5d2d5838-F--
HTTP/1.1 403 Forbidden
Content-Length: 293
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5d2d5838-E--

--5d2d5838-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
Action: Intercepted (phase 2)
Stopwatch: 1463461398712034 9447 (- - -)
Stopwatch2: 1463461398712034 9447; combined=438, p1=345, p2=53, p3=0, p4=0, p5=38, sr=183, sw=2, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

--5d2d5838-Z--

On Tue, May 17, 2016 at 1:00 PM, T. Kenneth Lojo (IRRI) <t.l...@irri.org> wrote:

> Can you point me to the right direction in correcting? It seems to be
> blocking all links that we post on Facebook other than the homepage. Which
> logs do I need to analyze? How do I circumvent?
>
> On Tue, May 17, 2016 at 12:57 PM, Christian Folini <christian.fol...@netnea.com> wrote:
>
>> Kenneth,
>>
>> On Tue, May 17, 2016 at 12:28:54PM +0800, T. Kenneth Lojo (IRRI) wrote:
>> > Our company has started using mod security as a web application firewall
>> > and we used the OWASP core rule set. When we apply the CRS Facebook cannot
>> > scrape our site and gives a 403 forbidden message. Can you provide
>> > directions on how to correct this? Our website is http://irri.org
>>
>> This is typical behaviour for a new CRS install, which blocks
>> what seem to be legitimate requests as false positives.
>>
>> If you want to continue in blocking mode, you need to tune the system.
>> Which means you need to get rid of the false positives, by
>> writing ModSec rules telling the engine to circumvent the said
>> offending rules.
>>
>> Google for ModSecurity tuning and false positives.
>>
>> And good luck!
>>
>> Christian
>>
>> --
>> First you make it, then it works, then you invite people to
>> make it better.
>> -- Eben Moglen, Free Software Foundation

--
T. Kenneth S. Lojo
Specialist-Online Media Design
www.irri.org

The International Rice Research Institute <http://irri.org> is a member of the CGIAR <http://cgiar.org> consortium
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
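An added example, not part of the thread: a small parser for the serial audit-log format quoted above, which pulls out of each intercepted transaction the rule id, the variable the rule matched and the requesting User-Agent, the facts needed to decide which rule to tune. The function names are hypothetical and the sample is the thread's own entry, abridged; it assumes audit-log sections B and H are being written.

```python
import re

# Constructed sample: the audit-log entry quoted in the thread, abridged.
SAMPLE = """\
--5d2d5838-A--
[17/May/2016:13:03:18 +0800] VzqmFgqA0uwAAA7nNtkAAAAW 66.220.158.117 29357 10.144.68.249 80
--5d2d5838-B--
GET /our-impact/protecting-the-environment/increasing-soil-health-and-productivity-of-rice-crops HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+ http://www.facebook.com/externalhit_uatext.php)
Range: bytes=0-524287
Host: irri.org
--5d2d5838-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [id "958291"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"]
Action: Intercepted (phase 2)
--5d2d5838-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]{8}-([A-Z])--$")
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')     # [id "958291"], [msg "..."]
TARGET = re.compile(r" at ([A-Z_]+(?::[^\s.]+)?)\.")    # variable the rule matched

def parse_audit_log(text):
    """Split a serial audit log into transactions: {section letter: [lines]}."""
    txs, cur, part = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m and m.group(1) == "Z":        # Z closes the transaction
            txs.append(cur)
            cur, part = {}, None
        elif m:                            # any other boundary opens a section
            part = m.group(1)
            cur[part] = []
        elif part:
            cur[part].append(line)
    return txs

def blocked_hits(text):
    """One record per rule message in transactions ModSecurity intercepted."""
    hits = []
    for tx in parse_audit_log(text):
        h, req = tx.get("H", []), tx.get("B") or [""]
        if not any(l.startswith("Action: Intercepted") for l in h):
            continue                       # logged but not blocked
        hdrs = dict(l.split(": ", 1) for l in req[1:] if ": " in l)
        for l in (l for l in h if l.startswith("Message: ")):
            tags, t = dict(TAG.findall(l)), TARGET.search(l)
            hits.append({"id": tags.get("id"), "msg": tags.get("msg"),
                         "target": t.group(1) if t else None,
                         "uri": (req[0].split() + [None, None])[1],
                         "user_agent": hdrs.get("User-Agent")})
    return hits
```

Run over a day of audit log, records that share the same id, target and User-Agent mark one false positive to tune rather than many separate problems.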